RenegadeScribe
just joined
Topic Author
Posts: 21
Joined: Mon Dec 13, 2010 1:26 am

Remote Asterisk Extension Issues

Wed May 11, 2011 6:08 pm

I know this is a cross-post, but I think I had posted the original message in the wrong board and it should've gone over here. Again, any assistance on this would be appreciated since I've hit a wall on this and can't seem to get around this problem.

I have a PBX-in-a-Flash (Asterisk) server installed behind an RB450G running RouterOS 4.1.7. I have no problems with PBX traffic going in and out, but for the life of me I cannot get a remote extension to register on the PBX.

Now, I've configured Asterisk correctly to allow the remote to connect and I can see it trying to connect to port 5060 in Service Connections, but when I run sip set debug ip <expected connecting ip address> I see no traffic reaching the PBX. I've also disabled SIP helper since there have been some forum posts mentioning that it does anything other than help. I also ran Wireshark and I can see traffic getting to the MikroTik firewall, so I know it's getting that far.

The extensions have their ALLOW/DENY settings cleared so the server should not be rejecting it. As it is, like mentioned above, the PBX isn't seeing the traffic so I don't believe there are any configuration issues with the PBX itself.

So, I believe there is something wrong with my NAT or firewall rules, but I'm not sure what it is I'm doing wrong.

Here are my Firewall Filter and NAT rules.

Any assistance in this would be really appreciated.

Thanks in advance!

Filter Rules

0 chain=input action=accept protocol=icmp

1 chain=input action=accept connection-state=established
in-interface=ether1-gateway

2 chain=input action=accept connection-state=related in-interface=ether1-gateway

3 chain=input action=accept src-address=192.168.0.0/24 in-interface=!ether1-gateway

4 chain=forward action=drop src-address=0.0.0.0/8

5 chain=forward action=drop dst-address=0.0.0.0/8

6 chain=forward action=drop src-address=127.0.0.0/8

7 chain=forward action=drop dst-address=127.0.0.0/8

8 chain=forward action=drop src-address=224.0.0.0/3

9 chain=forward action=drop dst-address=224.0.0.0/3

10 ;;; deny BackOriffice
chain=udp action=drop protocol=udp dst-port=3133

11 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69

12 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=111

13 ;;; deny NBT
chain=udp action=drop protocol=udp dst-port=137-139

14 ;;; deny NFS
chain=udp action=drop protocol=udp dst-port=2049

15 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69

16 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=135

17 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049

18 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111

19 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135

20 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139

21 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445

22 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034

23 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133

24 ;;; deny DHCP
chain=tcp action=drop protocol=tcp dst-port=67-68

25 chain=input action=drop in-interface=ether1-gateway



NAT rules

0 chain=dstnat action=dst-nat to-addresses=192.168.0.160 to-ports=21 protocol=tcp
dst-port=21000

1 chain=dstnat action=dst-nat to-addresses=192.168.0.160 to-ports=3689
protocol=tcp dst-port=21002

2 chain=dstnat action=dst-nat to-addresses=192.168.0.147 to-ports=5900
protocol=tcp dst-port=5905

3 chain=dstnat action=dst-nat to-addresses=192.168.0.126 to-ports=80 protocol=tcp
dst-port=4001

4 chain=dstnat action=dst-nat to-addresses=192.168.0.210 to-ports=21 protocol=tcp
dst-port=21001

5 ;;; SIP - UDP
chain=dstnat action=dst-nat to-addresses=192.168.0.25 to-ports=5060 protocol=udp
in-interface=ether1-gateway dst-port=5060

6 ;;; SIP - TCP
chain=dstnat action=dst-nat to-addresses=192.168.0.25 to-ports=5060 protocol=tcp
in-interface=ether1-gateway dst-port=5060

7 ;;; RTP - UDP
chain=dstnat action=dst-nat to-addresses=192.168.0.25 to-ports=10000-20000
protocol=udp in-interface=ether1-gateway dst-port=10000-20000

8 ;;; IAX - UDP
chain=dstnat action=dst-nat to-addresses=192.168.0.25 to-ports=4569 protocol=udp
dst-port=4569

9 X chain=dstnat action=dst-nat to-addresses=192.168.0.25 dst-address=76.26.177.130

10 X chain=srcnat action=src-nat to-addresses=76.26.177.130 src-address=192.168.0.25

11 chain=srcnat action=masquerade out-interface=ether1-gateway
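
An added example, not part of the original post and not MikroTik tooling: a small Python check over rule listings in the print layout used above. It flags user-defined chains that no enabled action=jump rule targets (such rules are never evaluated; the listing above has chain=udp and chain=tcp rules but shows no jump) and enabled dst-nat rules with neither an in-interface nor a dst-address matcher, which match traffic arriving on any interface. The sample input is a constructed subset of the posted rules.

```python
import re

# Constructed sample: a subset of the rules posted above, in the same print layout.
SAMPLE = """\
0 chain=input action=accept protocol=icmp
4 chain=forward action=drop src-address=0.0.0.0/8
11 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69
17 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049
25 chain=input action=drop in-interface=ether1-gateway
0 chain=dstnat action=dst-nat to-addresses=192.168.0.160 to-ports=21 protocol=tcp
dst-port=21000
5 ;;; SIP - UDP
chain=dstnat action=dst-nat to-addresses=192.168.0.25 to-ports=5060 protocol=udp
in-interface=ether1-gateway dst-port=5060
9 X chain=dstnat action=dst-nat to-addresses=192.168.0.25 dst-address=76.26.177.130
"""

BUILTIN = {"input", "forward", "output", "dstnat", "srcnat", "prerouting", "postrouting"}

def parse_rules(text):
    """Turn a printed rule listing into dicts; wrapped lines extend the last rule."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"(\d+)\s+(X\s+)?(.*)", line)
        if m:  # "<number> [X] ..." starts a new rule; X marks it disabled
            rules.append({"id": int(m.group(1)), "disabled": bool(m.group(2))})
            line = m.group(3)
        if not rules or not line:
            continue
        if line.startswith(";;;"):  # comment line belonging to the current rule
            rules[-1]["comment"] = line[3:].strip()
            continue
        rules[-1].update(re.findall(r"([\w-]+)=(\S+)", line))
    return rules

def unreachable_chains(rules):
    """User-defined chains that hold rules but are never an enabled jump-target."""
    live = [r for r in rules if not r["disabled"]]
    targets = {r.get("jump-target") for r in live if r.get("action") == "jump"}
    return sorted({r["chain"] for r in live if "chain" in r} - BUILTIN - targets)

def unscoped_dstnat(rules):
    """Enabled dst-nat rules with neither in-interface nor dst-address matcher."""
    return [(r["id"], r.get("dst-port"), r.get("to-addresses")) for r in rules
            if r.get("action") == "dst-nat" and not r["disabled"]
            and "in-interface" not in r and "dst-address" not in r]

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    print("chains with no jump:", unreachable_chains(parsed))
    print("dst-nat without interface/address scope:", unscoped_dstnat(parsed))
```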
 
RenegadeScribe
just joined
Topic Author
Posts: 21
Joined: Mon Dec 13, 2010 1:26 am

Re: Remote Asterisk Extension Issues

Thu May 12, 2011 2:17 pm

No one's run into this issue? I really could use some help here because the only possible solution I've heard is to set up a VPN and bypass the firewall entirely.

The sad thing was that we had the PBX before running behind a Buffalo POS router and were able to do a remote Asterisk extension without an issue. I just can't believe that this wouldn't work with MikroTik, which is a much, much better router.

Thanks in advance for any sort of assistance.
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: Remote Asterisk Extension Issues

Thu May 12, 2011 11:48 pm

There's probably something missing in the information you've provided. I can't see why this wouldn't work, but maybe with a bit more interactive debugging we could solve this.

Do you ever visit the #mikrotik IRC channel on irc.freenode.net?
 
RenegadeScribe
just joined
Topic Author
Posts: 21
Joined: Mon Dec 13, 2010 1:26 am

Re: Remote Asterisk Extension Issues

Thu May 12, 2011 11:53 pm

blake wrote:
> There's probably something missing in the information you've provided. I can't see why this wouldn't work, but maybe with a bit more interactive debugging we could solve this.
>
> Do you ever visit the #mikrotik IRC channel on irc.freenode.net?

No, can't say that I have. Haven't been on an IRC channel in a while. :-D

When's a good time for me to drop in?

I may be trying out the VPN idea also to see if that might be a way around this issue as suggested to me by RocNoc.
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: Remote Asterisk Extension Issues

Fri May 13, 2011 1:27 am

I'm in there now. Should be around for another hour or so.
